1. Field of the Invention
The present invention generally relates to malware detection and in particular to identifying communication originating from malware operating on a computing device.
2. Description of the Background Art
Computer networks and systems have become indispensable tools for modern data communication. Terabits of information are communicated by computer networks throughout the world. Much of this information is, to some degree, confidential and its protection is required. However, security threats have become increasingly able to evade conventional signature- or pattern-based detection techniques. In addition to viruses, other types of malicious software (“malware”) and attack methods, such as zero-day attacks, denial-of-service attacks, targeted threats, mass-variant attacks and blended threats, have become increasingly common ways of damaging computing systems and accessing data. One type of malware, referred to as a “Trojan,” is particularly difficult to prevent from harming a computing device.
A Trojan is a malicious program, or executable process, that is disguised as a benign program to avoid detection by conventional signature- or pattern-based detection methods. Trojans typically include a payload that, when executed by a computing device, impairs the computing device's performance or communicates data from the computing device to a server without the knowledge or permission of the computing device's user. Further, it is increasingly common for a Trojan to disable, or trick, an anti-virus client or other security system executing on a computing device, rendering the security system on the computing device unable to remove or block the activity of the Trojan. As a result, a Trojan executed by a computing device is free to request data from a malicious server or to transmit data from the computing device.
Because conventional methods for detecting communication from a Trojan executing on a computing device to a server rely on detecting patterns unique to that Trojan, conventional methods are unable to identify the Trojan's communication until a pattern or signature has been associated with the Trojan. This allows newly-identified Trojans, and new variants of known Trojans, to communicate data without detection.
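The limitation described above, that a pattern-based detector can only recognise communication whose bytes match a signature it already holds, is easy to see in code. The following is an added illustration written for this page; it is not part of the patent text and does not describe the patent's method. The signature database, the process allowlist, the flow records and the destination addresses are all constructed for the example. The signature check catches the flow whose payload matches the stored pattern but returns nothing for a variant that carries the same data in a different format, whereas a content-independent check (here, an assumed allowlist of processes permitted to talk to the network) flags both because it does not depend on the bytes the Trojan chooses to send.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound network flow observed on the computing device (constructed)."""
    process: str      # name of the process that opened the connection
    dest_host: str    # destination address
    payload: bytes    # first bytes sent on the connection


# Constructed signature database: byte patterns believed unique to known Trojans.
# A real product's database would be far larger; the single entry is for illustration.
SIGNATURES = {
    "trojan.sample_a": re.compile(rb"BOTID=[0-9a-f]{8};CMD="),
}

# Assumed allowlist of processes permitted to make outbound connections on this host.
# This is an example policy, not something the page specifies.
ALLOWED_NETWORK_PROCESSES = frozenset({"browser.exe", "mail_client.exe"})

# Constructed sample flows. 203.0.113.0/24 is the documentation range, not a real server.
KNOWN_TROJAN_FLOW = Flow(
    process="svc_update.exe",
    dest_host="203.0.113.10",
    payload=b"BOTID=deadbeef;CMD=upload;DATA=...",
)
# Same behaviour and same data, but the variant formats its message differently.
NEW_VARIANT_FLOW = Flow(
    process="svc_update.exe",
    dest_host="203.0.113.11",
    payload=b"id=deadbeef&op=upload&d=...",
)
BENIGN_FLOW = Flow(
    process="browser.exe",
    dest_host="www.example.com",
    payload=b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
)


def signature_verdict(flow: Flow) -> list[str]:
    """Pattern-based detection: names of signatures whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(flow.payload)]


def behaviour_verdict(flow: Flow) -> bool:
    """Content-independent check: True if the sending process is not allowed to use the network."""
    return flow.process not in ALLOWED_NETWORK_PROCESSES


def evaluate(flows: list[Flow]) -> dict[str, tuple[list[str], bool]]:
    """Run both checks over a set of flows, keyed by destination host."""
    return {f.dest_host: (signature_verdict(f), behaviour_verdict(f)) for f in flows}


if __name__ == "__main__":
    for host, (sigs, suspicious_process) in evaluate(
        [KNOWN_TROJAN_FLOW, NEW_VARIANT_FLOW, BENIGN_FLOW]
    ).items():
        print(f"{host:18} signatures={sigs or 'none':<20} "
              f"process_not_allowlisted={suspicious_process}")
```

Running the block shows the gap: the known sample is reported by signature, the variant is not reported until someone writes a second signature for it, and the benign browser flow is clean under both checks. The process allowlist is only one of many content-independent signals a defender might use, and on a real host it would need exceptions for legitimate updaters, but the point stands that a check anchored to where the traffic originates does not have to wait for a signature.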